[Forensics] oBfsC4t10n2

Someone would open this discussion sooner or later. Let's help without spoilers.

Comments

  • edited April 25

    There are lots of ways to solve this challenge. You can guess, you can run, or you can analyze. I found the last option the most rewarding as I learned something new.

    I would love to know how to analyze without Excel; the tools I am aware of produce hard-to-follow output.

    joeblogg801

  • It's a pretty new phishing maldoc. Kudos to @0xdf for replacing the malicious C2 with an innocuous one so that even if you open it in Excel you are not downloading and executing anything. Having said that, I did the analysis in Linux, LibreOffice Calc to be exact. Expect lots of cells, formulas, and jumping here and there.

    limbernie
    Write-ups of retired machines

  • Hi guys,
    without using Excel, I've been able to find that the old "friends" are still around. I still miss the first part of the sentence though.
    Might be my bad, not being able to analyze or jump among cells and formulas... I'd need a hint.

    Thanks

  • Pay attention to the EXCEL.EXE parent process with Sysinternals tools ;)
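    A defender-side version of the hint above, as an added example that is not part of this thread: it parses constructed Sysmon-style process-creation lines and flags child processes whose parent is EXCEL.EXE (or another Office binary), skipping a small allowlist of children Office legitimately spawns such as the splwow64.exe print helper. The record layout and sample lines are assumptions, not taken from the challenge file.

```python
import ntpath
import re

# Constructed Sysmon-style process-creation records (assumed layout, not from the challenge).
SAMPLE_LOG = """\
Event 1: Image: C:\\Windows\\explorer.exe | ParentImage: C:\\Windows\\System32\\userinit.exe | CommandLine: explorer.exe
Event 1: Image: C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE | ParentImage: C:\\Windows\\explorer.exe | CommandLine: "EXCEL.EXE" invoice.xls
Event 1: Image: C:\\Windows\\splwow64.exe | ParentImage: C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE | CommandLine: splwow64.exe 12288
Event 1: Image: C:\\Windows\\System32\\cmd.exe | ParentImage: C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE | CommandLine: cmd /c echo test
"""

LINE_RE = re.compile(
    r"Image: (?P<image>.+?) \| ParentImage: (?P<parent>.+?) \| CommandLine: (?P<cmd>.*)$"
)

# Office parents worth watching, and children Office legitimately spawns (printing helper).
OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe"}
BENIGN_CHILDREN = {"splwow64.exe"}


def parse_events(text):
    """Turn each log line into a dict; lines that do not match the layout are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append(m.groupdict())
    return events


def suspicious_office_children(events):
    """Return events whose parent is an Office binary and whose child is not allowlisted."""
    hits = []
    for ev in events:
        parent = ntpath.basename(ev["parent"]).lower()
        child = ntpath.basename(ev["image"]).lower()
        if parent in OFFICE_PARENTS and child not in BENIGN_CHILDREN:
            hits.append(ev)
    return hits


if __name__ == "__main__":
    # On the constructed sample only the cmd.exe child of EXCEL.EXE is reported.
    for ev in suspicious_office_children(parse_events(SAMPLE_LOG)):
        print(f"{ev['parent']} -> {ev['image']}: {ev['cmd']}")
```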

  • edited May 1

    Very, very interesting challenge.
    Can anybody help me with the flag format?
    I have so many pieces from the sheet that I can't figure out what the final goal is, as Excel will not do the evil exec. :smile:

    ADDED:

    I definitely NEED HELP:
    Thanks to @win32k and @GlenRunciter, who confirmed it for me, I know that I have the correct flag.
    Whatever I tried, I am getting "Incorrect Flag" \n "Try Harder".

    Sent a message to @0xdf.
    @0xdf Thank you for the interesting challenge!

  • @goxy2101 said:

    Very, very interesting challenge.
    Can anybody help me with the flag format?
    I have so many pieces from the sheet that I can't figure out what the final goal is, as Excel will not do the evil exec. :smile:

    ADDED:

    I definitely NEED HELP:
    Thanks to @win32k and @GlenRunciter, who confirmed it for me, I know that I have the correct flag.
    Whatever I tried, I am getting "Incorrect Flag" \n "Try Harder".

    Sent a message to @0xdf.
    @0xdf Thank you for the interesting challenge!

    I am also facing the same problem. I definitely got the right flag, but when trying to submit I get an error. Anyone else had that issue?

  • edited May 2

    Same here... I put the flag into a file and got the sha256sum
    24D8789F68C452B101609B5D84C736019F060468A1781EEE9282431B225E5136

  • Same here, issue on several machines. So, I guess it's the site.

  • Really sorry for any confusion, all. The original challenge was broken a bit, in that you could upload it to sites like any.run or hybridanalysis and the flag would just show up on the page. It was patched earlier this week, and a new version with a new flag is available for download. I'm really sorry to anyone who worked hard and got the old flag. The good news is, the patched document is not that different, so you shouldn't have too much issue solving again if you went the intended path.

    Sorry again for the trouble, and hope everyone enjoys!

  • @0xdf said:

    Sorry again for the trouble, and hope everyone enjoys!

    It shouldn't be too much trouble, as far as I can see you can get the flag pretty much the same way. Nice work reacting to the issue so quickly though.

    TazWake

    Happy to help people but PLEASE explain your problem in as much detail as possible!

    Also: https://www.nohello.com/

  • @0xdf said:

    Really sorry for any confusion, all. The original challenge was broken a bit, in that you could upload it to sites like any.run or hybridanalysis and the flag would just show up on the page. It was patched earlier this week, and a new version with a new flag is available for download. I'm really sorry to anyone who worked hard and got the old flag. The good news is, the patched document is not that different, so you shouldn't have too much issue solving again if you went the intended path.

    Sorry again for the trouble, and hope everyone enjoys!

    Hey, I just downloaded the file today and tried to solve it. I am also still getting the "old" flag. If I google that flag I see a lot of results in any.run. Sooo I got the feeling that the flag is new, but the file on the HTB servers is still the old one. Anyone having the same issue?

  • @0xdf ,
    Thank you for an amazing challenge!

    Hack The Box

  • Hi everyone.. I am new here with very little experience. I tried out the 0xdf forensic challenge and now I have been stuck and going in circles for like 3 days now.. I didn't switch off my PC to avoid losing progress. Any pointers, help or assistance to get through this please..

  • edited May 14

    Woah! The hints helped a lot! Thanks @0xdf for the enticing challenge! Hints by @limbernie and @GlenRunciter were on point, damn. Big woah for me!

  • I'm lost... I extracted a zlib file from the photo but have no idea what I'm supposed to do with that, or with the spreadsheet.. I read the hints in this post, but I'm not making much sense of it all, being new to this. Any help?

  • Found the fake flag.

  • The flag I found didn't work, either. Even downloaded the zip a couple more times. Will take another look and see if I found it via an unintended route where the old flag may have been left over, but should all be functional here now with the current zip file hosted at HTB?

  • Hi again, I managed to get the flag 7 days back. I still have a long way to go, but the back-and-forth struggle helped me pick up new stuff I never knew of. Persistence and the great content and tools from Didier Stevens and DissectMalware helped me successfully decode and deobfuscate the malicious MS Excel file.

  • @chm0dx said:

    The flag I found didn't work, either. Even downloaded the zip a couple more times. Will take another look and see if I found it via an unintended route where the old flag may have been left over, but should all be functional here now with the current zip file hosted at HTB?

    I believe I'm also getting the 'old' flag as of today after working with the file from a few days ago and re-downloading today.

  • Found by using a mix of guessing and automated tools.
    Thanks to @joeblogg801, who gave me a more detailed explanation about the chall.

  • Thanks for the challenge @0xdf, interesting vector.

    If anyone is stuck, check @GlenRunciter's link, and remember that you can pretty much modify anything to suit your needs; doing everything by hand may be too painful :wink:

  • edited July 31

    This challenge should be rated 'easier' now that there are tools out there to modify the 'flag' easily?
    Love this challenge though, so real. Thanks @0xdf.

  • Hi there,

    for some unknown reason, my LibreOffice was messing up the formulas. Not sure why, so I opened it on a Windows VM using Excel, saved the not-visible thing as tab-delimited text, and then wrote a Python script to process and de-obfuscate the thing. After that, the flag just appeared.

    Nice challenge!

    Cheers,

    Sociaslkas
